
UNIX - Linux - BSD Security Tips

This is a thread I've decided to do just really to get a feel for all the ways people here lock down their *NIX machines. If you use any form of UNIX, and lock it down, reply with what steps you generally take, and share how they work.

I'll be replying as well to pop in with what I've done before, and what I do now. So anyway, you can reply with whatever style you'd like, just be sure to list the following:

Of course, I always route my machine through my DLink Gaming router which has MAC filtering on both wired and wireless connections and only includes the MAC addresses of the four machines we have in our apartment. Of course, it's on a different channel, uses WPA-PSK, and has a password that resembles vaguely pronounceable line noise. Port forwarding is on and only absolutely needed ports are let through to my Linux server (20/21 for FTP, 22 for SSH, 80 for Apache, and TeamSpeak ports). I send inbound port 139-145 traffic to a nonexistent IP address.

On the Linux side, I turn off services I don't need (YMMV) and have hardcoded iptables set to reject anything that might've made it through the router that shouldn't have. For Windows, I basically turn off every service I think won't hamper the machine's performance (ATI Catalyst uses the event log, so don't turn that off, haha).

I know I deviated a little from the "what do you do for your *nix security" but I know I'm not the only one using a multi-OS environment.

We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

Great thread to share ideas in. I'm confident by the time I post this almost all the good stuff will be listed, so I'm attempting not to duplicate their posts... OpenSSH, secure FTP, etc.

I begin my attempts to harden the home *nix box before the actual install. I'm a firm believer in mapping out my hard drive (on paper) before I actually create the partitions, because I do not use the default partitioning schemes. I picked this habit up back in early 2000 after reading "Maximum Linux Security", by Anonymous. The author indicated that if you lump everything into one partition, it would be child's play to flood your entire file system and everything would come to an all stop. I was intrigued by the prospect of creating the "all stop" scenario, so I completed a bare bones install of RH and left very little room in the partition. Then I made sure everything that could be logged was, hooked that puppy on a hub and commenced to create logging events for the bare bones box via my other computer. It didn't take too long and "all stop" was achieved! Then I started all over and created very small /var & /tmp partitions and repeated the fun. Although I flooded those two partitions, the OS was still usable and I was able to delete all the junk I tossed into /var & /tmp. So at a minimum I always create four (04) partitions: swap, /, /var, & /tmp. If I'm really limited on space, the /var & /tmp will only be about 250 - 500 MB. If space is not an issue I like a gig each on those two (I like things logged!). I also create a /boot partition of 100 MB for similar reasons. Additionally there are other partitions you can create as well. Some might be proprietary, so read the manual; it will also require more planning.

Turning off all services was previously mentioned, however some folks may not have any idea what to secure. I'm sure we were all in that boat at one time. It doesn't take too long to learn, but I did have some help initially. Around the same time frame, I was using "Bastille" to shut down services I didn't really require. After a while, I started exploring the program a little and determined what it was actually doing. It wasn't too much longer and I didn't require the assistance of that program. So that may be a good starting point for new users if you have a *nix that doesn't walk you through it or do it automatically during the install.

We are always very eager to immediately test-run our new install on the Internet. Obviously don't fall prey to the urges until you have it behind a firewall. With my particular home network, you can plug any computer that does not have a firewall, etc., into the switch and you are behind some protection for the updates, etc. From the wall outlet it is ADSL --> Smoothwall (IPTables & Snort) --> Router (NAT) --> Smart Hub --> Computers. So as we mention many times, have a properly configured firewall up before going online. Then I like to go immediately to the updates/patches.

My current home OSes: SuSE 10.0 & XP on a 120 GB HDD, and on the 80 GB HDD, Win98 & what used to be Slack, however I'm clearing it out to play with Ubuntu.

I update SUSE before it's even booted as it has this option and I love it. Before the box has booted up, all updates are installed EXCEPT for the kernel. I always wait for that and it's a good idea to do so.

Then I start my methods:

The firewall is on by default with SUSE. SSH is running but not allowed through; I generally allow SSH through in case for some reason the machine starts freezing up, that way I can SSH in and kill off whatever might be making the box lag.

If I'm setting up an FTP server, I open the required ports, and load up the service, but I don't do this until I've configured it how I like it.

I have a copy of my configuration files for my server machines I store on my FTP server, and on CD so I don't have to sit and toy with it all day to make it how I want it.

I have one for PureFTPd and VSFTPd.

Also SUSE has X11 forwarding and listening off by default and has done this for a long time. Most distros still have X11 listening by default, SUSE doesn't.

When this has finished, you have a fairly good lockdown. But don't forget:

SUSE comes with "Harden_SUSE" and "Bastille" and you can use either. Also SUSE has something some distros leave out:

AntiVirus.

Even though Linux isn't really at risk, they work well. I've tested them before and used them with real-world scenarios where on a list you may get someone who sends a virus to mailing lists, and it always picks them up.

If I'm setting up a server where security is the word:

vim /etc/securetty

And comment everything but /dev/tty1

This only allows root to log in from the first console. It's another good idea.

I do similar stuff with Slackware and FreeBSD, except on FreeBSD I don't install updates. (I've been going back and forth with the security team for FreeBSD on a new method so it doesn't take so long to install something as simple as a fix.)

Instead I have two routers and a switch, which sit in front of all machines, and I either use virtual servers from the routers, or just pop one of the machines in the DMZ to allow people to connect.

These methods work well and keep the unlocked machines safe and secure behind them.

I also want to point out, in YaST2 use the sysconfig editor to edit configuration files; it's a little easier than doing it in vi and you have a helper there if you need it.

I also shut down services I'm not using.

One thing I did as a test:

I installed SUSE and Slackware, did it minimum, and made them FTP servers. To date no one has broken in. They are stripped down to the bare bones, with whatever service is needed and nothing more, and updated.

Something I was hoping to see:

It's possible to take a UNIX based OS, and strip it down to nothing but the Kernel, and hack the service into the Kernel, and discard anything not related. It's DAMN hard to break into a machine that someone has done this to.

OpenBSD does something any OS could do. They ship with everything turned off by default. SUSE could do the same thing...
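An added example that is not part of the thread: a small POSIX shell audit for two of the points raised above, the separate /var and /tmp partitions from the partitioning post and the tty1-only /etc/securetty from the post just above. The file paths are parameters so it can be pointed at /proc/mounts and /etc/securetty on a live host; the sample mount table and securetty contents below are constructed, not taken from any real machine.

```shell
#!/bin/sh
# Added audit script (not from the thread): checks two hardening points raised
# above against /proc/mounts-style and /etc/securetty-style files, so it can be
# run on a live host or, as here, on constructed samples.

# Return 0 if $2 appears as its own mount point in the mounts file $1.
is_mountpoint() {
    awk -v p="$2" '$2 == p { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Return 0 only if every path listed after the mounts file is a separate
# filesystem; a shared one means filling it (logs, /tmp junk) fills the parent.
check_separate_fs() {
    mounts="$1"; shift
    rc=0
    for p in "$@"; do
        if is_mountpoint "$mounts" "$p"; then
            echo "ok:   $p is its own filesystem"
        else
            echo "WARN: $p shares a filesystem; flooding it can fill the parent"
            rc=1
        fi
    done
    return $rc
}

# Return 0 only if tty1 is the sole uncommented entry in a securetty file,
# i.e. root console logins are limited to the first virtual console.
check_securetty() {
    extra=$(awk '{ sub(/#.*/, ""); gsub(/[[:space:]]/, "") }
                 $0 != "" && $0 != "tty1" { n++ }
                 END { print n + 0 }' "$1")
    if [ "$extra" -eq 0 ]; then
        echo "ok:   root may log in on the console only from tty1"
        return 0
    fi
    echo "WARN: $extra extra tty entries still allow root logins"
    return 1
}

# Constructed sample files (not real system files) so the checks run offline:
# /tmp is missing from the mounts, and tty2 is left enabled in securetty.
SAMPLE_MOUNTS=$(mktemp); SAMPLE_SECURETTY=$(mktemp)
printf '%s\n' '/dev/sda2 / ext3 rw 0 0' '/dev/sda1 /boot ext3 rw 0 0' \
              '/dev/sda5 /var ext3 rw 0 0' >"$SAMPLE_MOUNTS"
printf '# console\ntty1\ntty2\n' >"$SAMPLE_SECURETTY"

check_separate_fs "$SAMPLE_MOUNTS" /var /tmp || echo "fix the partition layout"
check_securetty "$SAMPLE_SECURETTY" || echo "fix /etc/securetty"
```

On a real box run the two functions against /proc/mounts and /etc/securetty instead of the samples; both return non-zero on any finding, so they can be chained into a post-install checklist.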

Why not go over WHY you like OpenBSD? I'd personally like to know the strong points of your usage of it, and I'm sure others would as well, and being that you're one of the very few users of it here that I know of, it would be helpful for people who are thinking about using it.

/me using Gentoo.
Avoids all sort of RPM Hell and I liked the use flag concept coupled with ports
Least no. of services to start at bootup..regular updates... including kernel (genkernel rocks)
keep me on a bit safe side.

I just wanted a user of it to pop in with reasons, as some people, including me at times, think that that is its major strong point.

Would be good to clear up a lot of things it seems.

Gentoo I have mixed feelings about... Well, mainly because it seems every day there are at least two new updates. I know obviously you'd make a cron job to update everything non-critical, like stuff that isn't the kernel, or X or the system tools, or make a Perl script to do it, but it just seems odd they have so many updates.

Now SUSE I know doesn't have as many because I know for a fact they do code audits on the entire system and have been doing so for quite some time.